On Fri, May 6, 2011 at 15:08, Brian <ad44@cityscape.co.uk> wrote:
> On Fri 06 May 2011 at 13:48:23 +0300, Dotan Cohen wrote:
>
>> However, keys are good to prevent brute-force attacks. Think of it
>> like a 256-character password using the entire ASCII field. Also, keys
>> are not susceptible to keyloggers.
>
> I'm unsure whether you mean 'prevent' because neither keys nor passwords
> can stop brute forcing attempts. If you mean a key (256 characters) is
> stronger than a password (20 characters) I'd agree. But the key is no
> more secure than the password. Not unless the attacker has considerably
> more than the allotted three score years and ten to look forward to.
> George may be past caring by then, though.
>
Agreed, a strong password is good enough to prevent a brute force
attack for all practical purposes.

> Keyloggers would get the key passphrase too.

Useless without the key itself.

> And the USB stick would
> have its contents pilfered.

Agreed.

> So, keys don't appear to give any advantage
> over passwords on an untrusted machine.
>

Agreed that for purposes of saying "nothing was taken" then the key
gives no advantage. However, if the machine is only pilfering USB
contents (unlikely) or only has a keylogger (actually very likely)
then using a key will mitigate.

--
Dotan Cohen
http://gibberish.co.il
http://what-is-what.com